Remove GIT_STRATEGY: none from DAST CI template to support authentication scripts feature

Problem

The DAST CI template currently sets GIT_STRATEGY: none in the dast job configuration (line 36 of lib/gitlab/ci/templates/Security/DAST.gitlab-ci.yml). This prevents the project code from being checked out during the DAST scan.

This configuration is blocking the authentication scripts feature, which requires access to the project's repository files to execute custom authentication scripts.

This came up in a customer ticket (internal).

Proposal

Remove the GIT_STRATEGY: none setting from the DAST CI template to allow the default Git checkout behavior. This will enable DAST to access project files, specifically authentication scripts stored in the repository.

Current configuration

dast:
  stage: dast
  image:
    name: "$SECURE_ANALYZERS_PREFIX/dast:$DAST_VERSION$DAST_IMAGE_SUFFIX"
  variables:
    GIT_STRATEGY: none  # <-- This needs to be removed
  allow_failure: true
  script:
    - if [[ -f "environment_url.txt" ]]; then DAST_WEBSITE="${DAST_WEBSITE:-$(cat environment_url.txt)}"; export DAST_WEBSITE; fi
    - /analyze

Proposed configuration

dast:
  stage: dast
  image:
    name: "$SECURE_ANALYZERS_PREFIX/dast:$DAST_VERSION$DAST_IMAGE_SUFFIX"
  # Remove GIT_STRATEGY: none to allow checkout for authentication scripts
  allow_failure: true
  script:
    - if [[ -f "environment_url.txt" ]]; then DAST_WEBSITE="${DAST_WEBSITE:-$(cat environment_url.txt)}"; export DAST_WEBSITE; fi
    - /analyze

Benefits

  • Enables the authentication scripts feature to access repository files
  • Allows users to store authentication logic alongside their application code
  • Maintains consistency with other security scanning templates that perform repository checkouts

Implementation tasks

  • Remove GIT_STRATEGY: none from lib/gitlab/ci/templates/Security/DAST.gitlab-ci.yml
  • Update lib/gitlab/ci/templates/Security/DAST.latest.gitlab-ci.yml if it also contains this setting
  • Update documentation to reflect the change in behavior
  • Test that authentication scripts feature works correctly with the updated template
  • Verify that existing DAST scans continue to work as expected
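A way to carry out the "update DAST.latest... if it also contains this setting" and verification tasks above, as an added example that is not part of the GitLab code base or of this issue: a small, dependency-free scan that reads a CI template, isolates the top-level dast job, and reports whether its own variables block pins GIT_STRATEGY to none. The two YAML samples embedded below are constructed from the "Current" and "Proposed" configurations in the issue (a top-level variables block is added to the proposed sample to show it is not mistaken for the job's variables); the file paths in the usage comment are the template paths named in the implementation tasks.

```python
"""Report whether a GitLab CI template's `dast` job sets GIT_STRATEGY: none.

Added example (not GitLab's code): an indentation-based scan with no PyYAML
dependency, meant to be run over DAST.gitlab-ci.yml and
DAST.latest.gitlab-ci.yml after the template change is applied.
"""
from __future__ import annotations

import re
import sys
from typing import Optional

# Constructed sample: the dast job as it is today (pins GIT_STRATEGY: none).
CURRENT_TEMPLATE = """\
dast:
  stage: dast
  image:
    name: "$SECURE_ANALYZERS_PREFIX/dast:$DAST_VERSION$DAST_IMAGE_SUFFIX"
  variables:
    GIT_STRATEGY: none  # <-- This needs to be removed
  allow_failure: true
  script:
    - /analyze
"""

# Constructed sample: the job after the proposed change. The top-level
# variables block is added here only to show it is not attributed to the job.
PROPOSED_TEMPLATE = """\
variables:
  DAST_VERSION: 5
dast:
  stage: dast
  image:
    name: "$SECURE_ANALYZERS_PREFIX/dast:$DAST_VERSION$DAST_IMAGE_SUFFIX"
  allow_failure: true
  script:
    - /analyze
"""


def _strip_comment(line: str) -> str:
    """Drop a trailing ' # ...' YAML comment (no quote handling; enough for these templates)."""
    return re.sub(r"\s+#.*$", "", line).rstrip()


def _indent(line: str) -> int:
    """Number of leading spaces on a line."""
    return len(line) - len(line.lstrip(" "))


def job_block(yaml_text: str, job: str) -> list[str]:
    """Return the indented lines under top-level key `job`, comments and blanks removed."""
    block: list[str] = []
    inside = False
    for raw in yaml_text.splitlines():
        line = _strip_comment(raw)
        if not line.strip():
            continue
        if _indent(line) == 0:
            if inside:
                break  # next top-level key ends the job
            inside = line.split(":", 1)[0].strip() == job
            continue
        if inside:
            block.append(line)
    return block


def git_strategy(yaml_text: str, job: str = "dast") -> Optional[str]:
    """Return the GIT_STRATEGY value from `job`'s own variables block, or None if unset."""
    in_vars = False
    vars_indent = 0
    for line in job_block(yaml_text, job):
        ind = _indent(line)
        key, _, value = line.strip().partition(":")
        if in_vars and ind <= vars_indent:
            in_vars = False  # left the variables block
        if not in_vars and key == "variables":
            in_vars = True
            vars_indent = ind
            continue
        if in_vars and key == "GIT_STRATEGY":
            return value.strip().strip("\"'") or None
    return None


def pins_git_strategy_none(yaml_text: str, job: str = "dast") -> bool:
    """True when the job explicitly disables checkout via GIT_STRATEGY: none."""
    return git_strategy(yaml_text, job) == "none"


def check_files(paths: list[str]) -> list[str]:
    """Return the template paths whose dast job still sets GIT_STRATEGY: none."""
    offenders: list[str] = []
    for path in paths:
        with open(path, encoding="utf-8") as fh:
            if pins_git_strategy_none(fh.read()):
                offenders.append(path)
    return offenders


if __name__ == "__main__":
    # Usage: python check_dast_git_strategy.py \
    #   lib/gitlab/ci/templates/Security/DAST.gitlab-ci.yml \
    #   lib/gitlab/ci/templates/Security/DAST.latest.gitlab-ci.yml
    bad = check_files(sys.argv[1:])
    for path in bad:
        print(f"{path}: dast job still sets GIT_STRATEGY: none")
    sys.exit(1 if bad else 0)
```

The scan looks only at the job's own variables block, so a top-level variables block in the template, or a GIT_STRATEGY set by a project that includes the template, is not reported; that matches the scope of this issue, which is the setting inside the dast job itself.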
Edited by Michael Eddington